Cyber Risk News
Protecting the UK’s physical systems, such as energy grids, telecoms and the NHS, was the hot topic of debate during a keynote panel at Infosecurity Europe 2018 in London.
Spencer Summons, group head of information risk & security at Tullow Oil, kicked off the conversation saying a culture change is needed to make sure cybersecurity becomes front of mind going forward, in an industry that is predominantly focused on physical security and human safety procedures.
“Safety is a huge thing in an offshore environment and I don’t think cyber is seen in the same way as safety – but it’s getting there,” explained Summons, who works for an oil exploration company with many employees working on offshore vessels.
He said the immediacy of a cyber threat is less obvious than the threat to human life on a vessel out at sea, so it is more difficult to get members of staff to adopt further cyber-safety procedures, such as increasing the length of their passwords.
“But we need to ensure we continue to have security and culture change programmes as part of any security piece,” he said. “Part of the solution is about [board level] buy in, but the conversation doesn’t stop there, we need the same conversations at a tactical and operation level – and we can all agree it’s the people on the ground that are in control.”
Summons said it is about introducing emotion into cyberattack prevention. “It has to be real for them, so we’ve been showing hacker demos and showing them what might happen if someone hacks into their machines.”
Peter Gibbons, chief security officer at Network Rail, agreed, saying his employees take “great pride” in the physical assets they are responsible for. “And if they see someone tampering with it they get really upset, but they think cyber is something different.”
Changing the narrative
Network Rail has already been working on communicating the importance of cybersecurity throughout the business. Back in 2012 at the time of the London Olympics, Gibbons said the organisation changed its narrative when it came to cyber-attacks.
“The Olympics was a public transport event, there was no driving to the venues, so if the train stops running and no one gets to see Usain Bolt win the 100 metres, we’d be in the spotlight,” he explained.
“So from a business perspective we changed the narrative from a technical problem to a business problem. The story around cyber is not about losing a server in a rack, it’s about how many people didn’t get to work.”
Balancing cost savings
A question from the audience asked the panel how they balanced the need to upgrade cybersecurity systems versus the business drivers of cost savings and operational efficiency.
Summons replied that it comes down to what businesses believe constitutes a risk, especially when the company has a huge number of legacy systems.
“How do we address systems already in existence that are arguably working well? We might look at some simple, physical security systems, particularly when looking at a vessel.”
But Summons said it comes down to making sure there is a representative stakeholder group which meets regularly to identify and prioritise risks, ensuring cyber has a seat at the table.
Nearly two-fifths (39%) of European businesses suffered DNS-related data theft over the past year, raising fears over GDPR non-compliance, according to EfficientIP.
The DNS security firm released findings from interviews with 400 respondents in Europe as part of its 2018 Global DNS Threat Report.
It found European companies are suffering a greater level of DNS-related data theft than the global average of 33%. The average cost per DNS attack has also risen strongly over the past year in Europe, by 43% to reach €734,000 — higher than North America and Asia Pacific.
However, in some countries the increase was even greater: in the UK the figure soared 105%, although firms paid a below-average €684,000. French organizations had the highest cost per attack at €847,000.
The DNS layer is always on and running in the background, and as such is often ignored by system administrators, despite containing multiple vulnerabilities thanks to its open design. As a result, many administrators whitelist DNS traffic, allowing attacks to proliferate.
These can include denial of service, compromising DNS servers with malware to take the user to malicious or phishing sites, and exfiltrating data via DNS tunnelling techniques.
The top five DNS-based attacks in Europe fall in line with the global top five, according to EfficientIP.
DNS-based malware (39%) was most popular, followed by phishing (34%), DNS DDoS attacks (20%), DNS tunneling (19%) and domain lock-up (18%). The latter is a kind of denial-of-service attack in which domains and resolvers set up by the attackers send random packets to DNS resolvers, “locking up” their resources so they are unable to deal with legitimate requests.
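DNS tunnelling is hard to spot precisely because the traffic looks like ordinary name resolution. The following is an added example, not code from EfficientIP or its report, showing the kind of heuristic a defender can run over resolver query logs: it scores each parent domain on the traces tunnelling tends to leave (unusually long labels, high-entropy encoded-looking labels, many distinct subdomains, and a preference for record types that carry arbitrary data such as TXT). The log lines, their field layout (time, client, qtype, qname) and the thresholds are all constructed for this example and do not follow any real resolver's format.

```python
"""Heuristic DNS tunnelling detection over resolver query logs.

Added example, not code from EfficientIP or its report. The log lines and
their field layout are constructed for this example.
"""
import math
from collections import defaultdict

# Constructed sample log: time, client IP, query type, queried name.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 A www.example.com
12:00:02 10.0.0.5 AAAA mail.example.com
12:00:03 10.0.0.9 TXT 4a6f686e20446f65203132333435.exfil-example.net
12:00:04 10.0.0.9 TXT 70617373776f72643d68756e74657232.exfil-example.net
12:00:05 10.0.0.9 TXT 63617264313233343536373839.exfil-example.net
12:00:06 10.0.0.9 TXT 7365637265742d6b65792d6461746133.exfil-example.net
12:00:07 10.0.0.7 A cdn.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption: no public-suffix list is consulted, so names under
    two-level suffixes such as co.uk would be grouped too coarsely.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qtype, qname) from the constructed format, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _time, client, qtype, qname = parts
        yield client, qtype.upper(), qname.lower()


def score_domains(text: str, max_label_len: int = 20,
                  entropy_threshold: float = 3.0, min_subdomains: int = 3) -> dict:
    """Return {parent_domain: signals} for domains whose queries look like a tunnel.

    The thresholds are constructed starting points; tune them against your own baseline.
    """
    stats = defaultdict(lambda: {"subdomains": set(), "clients": set(),
                                 "long_labels": 0, "high_entropy": 0, "txt_queries": 0})
    for client, qtype, qname in parse_log(text):
        parent = parent_domain(qname)
        entry = stats[parent]
        entry["clients"].add(client)
        prefix = qname[:-len(parent) - 1] if qname.endswith("." + parent) else ""
        if not prefix:
            continue  # a bare parent domain carries no payload labels
        entry["subdomains"].add(prefix)
        for label in prefix.split("."):
            if len(label) > max_label_len:
                entry["long_labels"] += 1
            if shannon_entropy(label) > entropy_threshold:
                entry["high_entropy"] += 1
        if qtype == "TXT":
            entry["txt_queries"] += 1

    suspicious = {}
    for parent, entry in stats.items():
        # Flag only domains with enough distinct subdomains AND at least one payload-like signal.
        if len(entry["subdomains"]) >= min_subdomains and (entry["long_labels"] or entry["high_entropy"]):
            suspicious[parent] = {
                "subdomains": len(entry["subdomains"]),
                "clients": sorted(entry["clients"]),
                "long_labels": entry["long_labels"],
                "high_entropy": entry["high_entropy"],
                "txt_queries": entry["txt_queries"],
            }
    return suspicious


if __name__ == "__main__":
    for domain, signals in score_domains(SAMPLE_LOG).items():
        print(f"suspicious: {domain} {signals}")
```

Run against the constructed log, only `exfil-example.net` is flagged: its four queries each carry a single long, high-entropy label and all use TXT, while `example.com` and `example.org` fall below the subdomain count. Volume per client and per domain over time is the natural next signal to add, since a tunnel also produces far more queries for one domain than normal browsing does.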
David Williamson, CEO of EfficientIP, said the findings are important in the context of the GDPR, which mandates that organizations follow best practices in securing customer and employee data.
“Surprisingly, our research shows European organizations have invested the least globally in technology which can prevent data theft,” he added. “In the year ahead, it will be interesting to see how European companies prevent data theft and avoid regulatory fines.”
Privacy International (PI) has sent England football manager Gareth Southgate an anti-surveillance kit to help mitigate the risk of rival teams spying on the Three Lions boss at the World Cup.
The rights group sent a Faraday cage specially designed by Agent Provocateur founder Joseph Corré, which can be used to block electromagnetic signals from reaching his devices.
It’s also sent a headline briefing warning the England boss that rival managers and Russia's fearsome security forces could hack his devices; activate the webcam and mic to eavesdrop on team talks and training; intercept phone calls; or even activate GPS tech to track Southgate’s movements, possibly with an eye on blackmail.
“If England are to stand any chance of progressing in the World Cup, Southgate will need to take all the precautions he can, including against spying,” argued PI state surveillance lead, Edin Omanovic.
“It's worth remembering that when governments hack, it's to gain a competitive edge against rival governments. Surely rival managers will all be wanting to gain a competitive advantage over each other in the biggest cup in the world.”
Privacy International is using the publicity stunt to highlight the UK Prime Minister’s flawed approach to encryption. Theresa May has repeatedly warned there should be no “safe spaces” on the internet for terrorists to hide and her new Investigatory Powers Act could even theoretically force providers to build encryption backdoors.
However, that same security is vital to protecting the privacy and security of law-abiding citizens and businesses, including the England manager and team.
The rights group has previously warned any visitors to Russia that their communications could be monitored by the authorities via SORM: the government’s “nationwide system of automated and remote legal interception infrastructure.”
Controversially awarded to Russia amid rumors of corruption and bribery, the FIFA World Cup will kick off next Thursday.
Hinchliffe works in the Unit 42 threat intelligence team at Palo Alto Networks and uses the frameworks ATT&CK and STIX to explore the lifecycle of cyberattacks. He described OilRig as an espionage adversary which over the last two years has been extracting information from governments, financial services companies and a number of non-profits in countries including Turkey, Saudi Arabia, Israel and Lebanon.
While Unit 42 has discovered that OilRig leverages malicious macro documents as part of its attack toolkit, it also uses custom tools, which Hinchliffe said have never been seen anywhere else before.
One example he gave of a malicious macro document attack used an end-point threat called Helminth which uses social engineering to illegally gather data from Microsoft Excel spreadsheets used frequently by governments and financial services.
“Sadly with most attacks it is phishing emails and using the human as the weakest link,” he said, explaining how the attackers will send an Excel document to their victim and even attach a .png image showing the victim how they want them to open the document.
“They are literally spelling it out for the victim.”
The compatibility warning in the Excel document was created by OilRig to look very similar to Microsoft’s own warning, tricking the user into running the code, which is hidden in the cells behind the crafted warning.
Custom attack tools
But it is when OilRig attacks servers directly with custom tools that the attack becomes unique.
Hinchliffe described how the first recorded attack of this type was called Two Face, in which the attacker connected to a publicly facing web server run by the victim via a webshell.
“It’s a lot more sophisticated than the end-point malware,” he said.
Meanwhile, a more recent server attack, called an RG Door infection, sees malware which “hooks” onto every GET request or POST request made to the victim’s webpage. This information passes through the adversary’s RG Door first, so it can manipulate the data.
Commenting on these direct server attacks, Hinchliffe said: “It’s a sophisticated way to communicate. And it prevents you having that beacon – that regular heartbeat saying ‘I’m here, I’m here’ – across the network, which is a bit more stealth.”
The now infamous VPNFilter malware, thought to be the work of a Kremlin-sponsored hacking group, is worse than previously thought, affecting several new SOHO device manufacturers and containing additional threat capabilities, Cisco Talos has revealed.
The security vendor claimed in a new post this week that the attack campaign also affects devices from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. This is in addition to the original line-up of routers from Linksys, MikroTik, NETGEAR and TP-Link in 54 countries, as well as some QNAP network-attached storage (NAS) devices.
Cisco also revealed a newly discovered stage 3 module, named “ssler”, which “injects malicious content into web traffic as it passes through a network device.”
“At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge),” the firm noted.
“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports.”
That’s a dangerous new capability as it means the malware can attempt an exploit without a user having to visit a compromised site, click a link or open a malicious email attachment, according to Mounir Hahad, head of Juniper Threat Labs.
“It is obvious that the scope of this campaign is far bigger than initially thought. The ability to infect endpoints introduces a new variable and the clean-up process is more involved than just rebooting routers. Any exploit could have been used by the threat actors to target the computers behind infected routers,” he explained.
“At this point, it is important for people who had routers in the list of affected devices to make sure they have an updated anti-virus software running on their endpoints.”
Even though it's been more than two months and $2.7 million since a major ransomware attack nearly crippled the city of Atlanta, the aftershock continues to impact municipal employees across several departments.
At a 6 June Department of Atlanta Information Management (AIM) meeting, a city official requested an additional $9.5 million to try and correct the affected systems. Infosecurity Magazine attempted to contact AIM but has not received a response.
The city continues to work with private and government partners to understand the full scope of the attack's impact, but Atlanta's interim chief information officer, Daphne Rackey, reportedly said that the number of impacted applications is more than 30% of the 424 mission-critical programs. That number "seems to grow every day," Rackey reportedly told the Atlanta city council.
The attack, which came with the demand for $51,000 worth of Bitcoin that the city said it did not pay, encrypted city files, leaving customers unable to access city applications. Information on current city operations is available to residents, but whether any lost data has been restored is unclear because the city's website has not updated information on the attack since 30 March.
Several different agencies are said to have told the city council on 6 June that their workplace has yet to return to normal. "This has been painful on many fronts," Atlanta police chief Erika Shields told WSB-TV in a live interview on 1 June. Referring to the police dashcam data that was lost in the attack, Shields said, "That is lost and will not be recovered. That could compromise potentially a DUI case."
It's unclear what has been most painful for the department, however, because Shields also said that she is not overly concerned. "It's a tool, a useful tool, but the dashcam doesn't make cases for us."
Perhaps the greatest pains come from trying to investigate existing cases. A police department investigator, Matthew Condland, whose 105,000 files were corrupted, cited the attack as the primary reason he has yet to produce a key piece of evidence. Others expressed dismay over the dissemination of information since the attack, even though Atlanta implemented a new employee notification system, NotifyATL, after the attack.
The website's information for employees section explains that NotifyATL "will be used to inform you of critical work-related information by text, email and phone calls. If you have not yet registered, please do so. NotifyATL will be used for notifications in the future, so all employees will need to register to receive these work-related alerts. Go to the employee alert portal (bit.ly/CoA-Employee-Alerts) and click the sign-up link."
Too many organizations fail on incident response because they’re working from identikit plans with no agility to adapt to uncertainty, according to experts at Infosecurity Europe.
A panel debate on the final day of the show brought together CISOs, legal and PR experts to discuss what commonly goes wrong and how firms can improve their rapid response to a serious incident.
Nick Andrews, reputation management lead at PR firm FleishmanHillard, argued that too many internal processes are built around “assumed convenience” without realizing that when an incident hits, things can quickly escalate.
"Real life is messy and not neat. As soon as anything goes external you lose control,” he said. “Most organizations don’t think the unthinkable. We’re trying to create organizations that are nimble and can cope with the reality of uncertainty.”
Hunton & Williams partner, Bridget Treacy, added that too many plans are “cut and pasted” from other organizations without proper testing, meaning they can lack relevance.
She also argued that siloed approaches are doomed to failure.
“It’s not just the responsibility of your information security people. Others need to participate,” she said. “Too often the right people are not being brought in at the right time into the mix. It can make a big difference to handling a breach.”
Communication was highlighted as a key aspect of effective incident response; both within the organization and in terms of how it engages with customers, media and regulators.
With so many interested parties that need to be informed, from the CEO to the ICO, “communication at various levels is the most critical type of work that needs to be done,” claimed Mashreq Bank CISO, Tamer Gamali.
Pearson IT security officer, Vincent Blake, added that the same skill is vital for CISOs.
“CISOs have got to be excellent communicators and entrepreneurial,” he argued. “They need to be engaging so they can get issues across to the board.”
The discussion topic has extra relevance given the GDPR mandates 72-hour breach disclosures, reducing the potential window organizations have to gather information before they need to go public.
Several attendees claimed that few organizations will know much after just 72 hours, although Blake claimed that if forensics are situated front-and-centre in the security function they could gather a significant amount of information in just the first few hours.
However, a trained incident manager is essential to marshal these efforts, he added.
"America first" isn’t always a good thing, particularly when it comes to cyber-risk. Still, the US was number one on the list of nations from which the most risk to the internet originated, according to the third annual National Exposure Index released today by Rapid7.
Analysis of the current state of internet exposure revealed which geopolitical regions are most at risk for deliberate, wide-scale attacks on core services. “A country with a higher percentage of exposed services in relation to its total allocated IP address space will tend to score higher on National Exposure,” according to the report. North America, China, South Korea and the UK top the list of nations most vulnerable to cyber-attacks.
Combined, those nations control over 61 million servers listening on at least one of the surveyed ports. The report also found that nearly half a million exposed Microsoft Server Message Block (SMB) servers in the US, Taiwan, Japan, Russia, and Germany are targeted today.
“There are 13 million exposed endpoints associated with direct database access, half of which are associated with MySQL. Along with millions of exposed PostgreSQL, Oracle DB, Microsoft SQL Server, Redis, DB2, and MongoDB endpoints, this exposure presents significant risk of crucial data loss in a coordinated attack,” the report said.
This year has already set the record for the largest distributed denial-of-service (DDoS) attack, which abused unsecured memcached user datagram protocol (UDP) servers; however, approximately 40,000 unpatched, out-of-date memcached servers remain at risk of being drafted into the next record-breaking DDoS attack.
While the report noted that it is nearly impossible to identify the country with the lowest risk exposure, the Federated States of Micronesia ranked 187 out of 187 countries on the list.
Rapid7 aims to use these statistics to identify the nations that can reduce their exposure to nefarious actors – particularly nation-state actors – by making improvements to their local infrastructures. According to the report, "This indicates to us that national internet service providers in these countries can use these findings to understand the risks of internet exposure, and that they, along with policymakers and other technical leaders, are in an excellent position to make significant progress in securing the global internet."
Thousands of Australians are again being notified that their personal information was potentially compromised after a vendor that powers jobs and recruitment sites for companies around the world experienced a breach.
The Australian Cyber Security Centre (ACSC) is investigating the breach of Australian-based recruiting company PageUp to determine the full impact. ACSC continues its efforts to identify what data, if any, was compromised. Those likely to be most affected are in large part based in Australia.
“PageUp has indicated the incident is contained and the threat has been removed. They contacted the ACSC for advice and support, and have also informed the Office of the Australian Information Commissioner (OAIC) of the incident,” ACSC wrote in today’s news story.
As part of its incident response plan, PageUp has announced that there was unauthorized activity on its IT systems. The news has set off alarm bells for employers and job seekers alike. Major clients that rely on the recruitment firm include, among several others, the Reserve Bank of Australia, Australia Post, University of Tasmania, Australian Red Cross and Commonwealth Bank.
Though the company said that all client passwords are hashed using bcrypt and salted, it recommended that users change their passwords as an added safety precaution.
CEO and co-founder Karen Cariss said that the suspicious activity was first noticed on its IT infrastructure on 23 May 2018. The company immediately launched a forensic investigation. “On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent 3rd party is currently ongoing,” Cariss wrote, adding there are no indications that an active threat still exists.
“Today, companies across the world are finding out that the path to their data is being provided by PageUp. For enterprises that don’t have a detailed understanding of the risks introduced by each and every third party in their digital ecosystem, it’s not a matter of if but when their data will be exposed by a third party. It’s like playing Russian roulette with your data, and that’s a game that rarely ends well,” said Scott Schneider, CRO at CyberGRX.
A persistent industry PR problem and over-prescriptive employer demands continue to frustrate efforts to close cyber-skills shortages, according to James Lyne.
“I’ve spoken to many people coming out of competitions saying ‘I didn’t realize there was a job in cybersecurity’ – so clearly there’s an advertising problem,” he argued.
Lyne also claimed that highly talented young cybersecurity enthusiasts find themselves presented with a huge barrier “to get onto the ladder of improvement” thanks to excessive demands from employers for professionals with several years’ experience.
“These are ridiculous problems in the face of industry skills gaps,” he argued.
Lyne explained how he ended up in cybersecurity via a circuitous and somewhat fortuitous route, claiming he may even have been tempted down a darker path had things worked out differently.
“I had a lot of online mentors at the time who I’ve never met who were hugely influential for me,” he said. “I think the biggest issue is showing people that there are good jobs here. At the moment it’s easier to offer anonymous hacking services on the dark web.”
Although Lyne admitted his career has been “filled with lucky interventions,” he’s working hard to ensure the next generation of cyber-enthusiasts don’t have to rely on luck to carve out a successful future in the industry.
He bemoaned the lack of focus in learning on understanding how things work, claiming modern tech professionals perhaps rely too much on off-the-shelf tools.
“We need to rebuild that ‘rip it apart’ culture,” said Lyne. “The level of understanding of how tech works has dropped off a cliff. Technology is just so usable out of the box.”
The government’s CyberFirst scheme, which Lyne was instrumental in developing, aims to achieve this by using gamification techniques to encourage more kids into the industry.
The former director general of GCHQ Robert Hannigan took to the keynote stage at Infosecurity Europe 2018 to discuss the evolving cyber-threat landscape, describing how – whilst changes in sophistication of lone actors and cyber-criminals are increasing the challenges of keeping data secure – it is the rise of nation state attacks that is “possibly the biggest change in the last couple of years.”
Hannigan said that risks surrounding nation state attacks have always been an area of concern to some extent, but recent changes in political intent have made them a real and significant issue in today’s landscape.
He pointed to activities in Iran and Russia as examples. “Iran have taken a very collaborated approach to cyber-activity, most publicly through the DDoS attacks on banks a few years ago,” Hannigan said, whilst at the higher end of sophistication, Russia has put a lot of investment into cyber-activity in the last 10 years.
“The biggest change [with Russia] is intent; the kind of prepositioning of a cyber-attack could go all sorts of ways,” he explained, “but if your geopolitical intent changes and you want to take risks and you don’t mind being found out and want to be destructive, that suddenly becomes very dangerous. I think that is what has changed for the West, not just online but in other areas in the last few years with Russia.
“The fact that both the US and UK governments have been talking about finding Russia on utility energy company networks and the infrastructure of the internet is really important and worrying, because of the intent.”
Nation state activities are increasingly becoming more sophisticated and more brazen, Hannigan added, and the real concern when it comes to nation state attacks is that the “risk of miscalculation could be huge."
“We haven’t yet seen anybody killed or seriously injured as a result of a cyber-attack, but if you start to tamper with industrial control systems, with health networks, it feels like it’s only a matter of time before somebody gets hurt and ultimately killed,” he said.
However, to conclude, Hannigan pointed out that 80% to 90% of cyber-attacks, regardless of their sophistication level, can be prevented or mitigated by doing the basics right.
“We should keep doing the basics,” he added, “and at a national level I’m really delighted with the progress the NCSC has made with active cyber-defense.”
A cultural and technological clash between IT and OT is hindering organizations’ efforts to mitigate the risk of serious cyber-physical attacks, according to Trend Micro.
The security giant’s VP of infrastructure strategies, Bill Malik, explained to Infosecurity Europe attendees that the fundamental goal of OT teams is to “ensure everything is safe and reliable.”
When it comes to information security teams, however, it’s all about ensuring data is not “lost, altered or disclosed.”
“These goals are out of mind for people running OT systems, so when you try to converge the two you end up with major conflict,” said Malik.
Where OT teams try to fix an issue as quickly as possible in order to preserve the integrity of the service, IT security teams want to find out what went wrong to prevent it happening again, he added.
“When you have people with expertise in their own domains working together, it results in a kind of ‘ritual combat’,” said Malik. “The biggest challenge is integrating their viewpoints.”
Another example of the disparity between the two ways of approaching cybersecurity is the DevOps concept of “fail fast and fix fast.”
“Let me tell you: 'fail fast' doesn’t work when you’re fixing a connected car, or a robotic surgery,” warned Malik.
The job of security managers is complicated further by the mass of different protocols used in the IoT world to enable communication between devices and controllers.
In healthcare, these challenges are compounded by the fact that medical devices in the US take 2-5 years to get certified, but if the software is upgraded they risk losing that certification. This means out-of-date and insecure platforms like Windows XP are not uncommon, warned Malik.
“Whether we’re talking about a power station, a hospital or your Alexa at home we need to be able to identify all vulnerable devices, ensure they’re properly segmented and know what activity is going on,” concluded Malik.
He added that organizations need to upgrade where possible to ensure devices are as secure as they can be, and to support modern, secure IoT architectures, as well as plan for regulatory mandates.
Europe’s new NIS Directive should go some way to helping improve the resilience of “essential services” providers to cyber-physical attacks, by raising baseline security standards. In the UK it applies to transport, energy, healthcare, water and other CNI sectors.
A third of global business decision makers said they’d rather cut costs by paying a ransomware demand than invest in security, according to NTT Security.
The managed security giant polled 1800 business leaders around the world to compile its Risk:Value 2018 report.
Worryingly it revealed that only around half of businesses are prepared to invest proactively in cybersecurity.
Most of them are doing so to prevent the damage to customer confidence (56%), and brand and reputation (52%) that can result from a breach.
Even more concerning is the fact that nearly half (47%) of respondents said they’d not been affected by a data breach, despite less than half (48%) claiming they had secured all their critical data. In the UK, nearly a quarter (22%) don’t even know if they have suffered a breach or not.
“We’re seeing almost unprecedented levels of confidence among our respondents to this year’s report, with almost half claiming they have never experienced a data breach. Some might call it naivety and perhaps suggests that many decision makers within organizations are simply not close enough to the action and are looking at one of the most serious issues within business today with an idealistic rather than realistic view,” said NTT Security’s senior VP EMEA, Kai Grunwitz.
“This is reinforced by that worrying statistic that more than a third globally would rather pay a ransom demand than invest in their cybersecurity, especially given the big hike in ransomware detections and headline-grabbing incidents like WannaCry. While it’s encouraging that many organizations are prepared to take a long-term, proactive stance, there are still signs that many are still prepared to take a short-term, reactive approach to security in order to drive down costs.”
The estimated cost to recover from an incident has increased from $1.4m to $1.5m since last year. However, on the plus side, global respondents claimed it would take 57 days to recover from a breach, down from 74 days in 2017. In the UK the figure is lower still at 47 days.
After noticing a browser extension communicating with a suspicious domain, researchers analyzed the Google Chrome extension named Desbloquear Conteudo (unblock content) and found that it was a rare banker malware.
The extension, identified as HEUR:Trojan-Banker.Script.Generic, has been removed from the Chrome Web Store. According to Kaspersky Lab researcher Vyacheslav Bogdanov, the man-in-the-middle (MitM) extension for Chrome was targeting users of Brazilian online banking services with the goal of collecting user logins and passwords in order to pilfer their savings.
MitM attacks redirect the victim’s web traffic to a spoof website. While the target is under the impression they are connected to a legitimate site, the flow of traffic to and from the real bank site is actually being redirected through an attacker's site so that the criminal can harvest the personal data they are after.
What's interesting about this particular extension is that the developers made no effort to obfuscate its source code. Instead, they opted for a MitM attack using "the WebSocket protocol for data communication, making it possible to exchange messages with the C&C [command-and-control] server in real time. This means the C&C starts acting as a proxy server to which the extension redirects traffic when the victim visits the site of a Brazilian bank."
Because the malware was targeting Brazilian users, Bogdanov suggested that the browser extension had the additional function of adding cryptocurrency mining scripts to the banking sites users visited.
“Browser extensions aimed at stealing logins and passwords are quite rare in comparison to adware extensions, but given the possible damage that they can cause, it is worth taking them seriously. We recommend choosing proven extensions that have a large number of installations and reviews in the Chrome Web Store or other official services. After all, despite the protection measures taken by the owners of such services, malicious extensions can still penetrate them,” Bogdanov said.
Israeli genealogy site MyHeritage has revealed details of a breach affecting over 92 million users.
The DNA testing service claimed in a statement on Monday that a security researcher contacted its CISO after finding a file containing the data on a private server outside of the company.
The details contained “all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.”
The firm claimed that there’s no evidence the data has been used by the hackers or that any other MyHeritage systems, such as those containing card information or DNA data, were compromised.
“Immediately upon receipt of the file, MyHeritage’s Information Security Team analyzed the file and began an investigation to determine how its contents were obtained and to identify any potential exploitation of the MyHeritage system,” the statement continued.
“We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach. MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords.”
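The statement describes a one-way hash whose key differs for each customer, that is, a per-user salt. The following is an added example of that scheme, written for this page; it is not MyHeritage's implementation, and the record format, iteration count and sample users are this example's own choices. It shows why two users with the same password get different stored values, why verification still works, and what an attacker holding a leaked record is reduced to: guessing, one hash computation per guess per user, with no shared precomputation across users.

```python
"""Per-user salted password hashing with PBKDF2-HMAC-SHA256.

Added example of the scheme the breach statement describes; not MyHeritage's code.
"""
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

ITERATIONS = 100_000  # assumption: tune so one hash costs on the order of 100 ms on your hardware


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def dictionary_attack(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding a leaked record can do: guess, one hash per guess.

    Because every user has a different salt, the work cannot be shared across
    users or precomputed into a lookup table; weak passwords still fall.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


def demo() -> dict:
    # Constructed users: two of them chose the same strong password,
    # one chose a password that appears in any small wordlist.
    wordlist = ["123456", "letmein", "password123"]
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    carol = hash_password("password123")
    return {
        "same_password_same_digest": alice.split("$")[3] == bob.split("$")[3],
        "alice_verifies": verify_password("correct horse battery staple", alice),
        "wrong_case_rejected": verify_password("Correct horse battery staple", alice),
        "carol_cracked": dictionary_attack(carol, wordlist),
        "alice_cracked": dictionary_attack(alice, wordlist),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt neutralises precomputed tables and stops one crack from unlocking every user who shares that password, but it does not rescue a weak password: carol's record falls to a three-word list. That is why the advice to change passwords still applies even when hashes, not plaintexts, were taken.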
The firm has acted swiftly to set up an incident response team and an independent forensic review and said it will be rolling out 2FA to users soon. There’s also a 24/7 security customer support team on hand to answer any questions.
In the meantime, it urged users to change their passwords.
Commentators were broadly sympathetic to MyHeritage, claiming it did most of the security basics right.
“This breach of MyHeritage seems to be the rare instance in which a company in possession of sensitive data adhered to some of the best practices in password posture by not storing them in plain text but as one-way hashes,” said Balbix CEO, Gaurav Banga. “It’s unfortunate that user email addresses were exposed, but by partitioning servers, using third parties for payment processing and encrypting passwords, MyHeritage has — at least so far — minimized the damage of this breach.”
The vulnerabilities common to IoT devices are especially prevalent in adult toys, too.
Speaking on “Hacking Adult Toys” at Infosecurity Europe, Ken Munro of Pen Test Partners examined a number of adult devices, some of which had only basic authentication, static identifiers that allowed them to be controlled remotely, and open ports that made them easy to identify.
Munro highlighted some toys that were paired across multiple user sessions, while the Lovense vibrator uses a standard Bluetooth PIN of 0000 and can be controlled by an Android app which stores, and never deletes, temporary image files.
Referring to research by Alberto Segura, Munro said that the toy’s Chrome plug-in could identify a user as an online cam model simply from their email address.
In another case, a male toy could be controlled over Bluetooth, including inflating the inside of the toy remotely. Another toy’s mobile app “continuously probes for outbound connections”, so if a user has installed it on a work phone, the IT department will see repeated alerts. “By using this device you’re effectively telling your employer that you’re a cam model,” Munro said.
In other cases, Munro showed a Fleshlight toy with a static link that never changes, while butt plugs could be geolocated and controlled via Bluetooth.
Munro demonstrated that code from a camera drone had been reused in a sex toy with a built-in camera, which had a static IP address and “admin” as the username, meaning it could stream video in real time “completely unprotected.”
In terms of disclosure, Munro said that a number of emails had been sent to manufacturers, but they had received no response.
“We have pushed hard for manufacturers to improve security, and porn is big business and we were shocked at the state of adult toys,” he said. “Vulnerabilities we knew about ten years ago are being sold to people and used in intimate situations.”
He concluded by crediting Brad Render for his work on disclosure to adult toy manufacturers, and encouraged delegates to start making manufacturers listen “to get their security sorted”, as SSL is not in place, there is pinning and pairing and no encryption used, “and the firmware is a train wreck - so do have a play and see security flaws and tell us and get them fixed.”
Researchers have discovered a traffic manipulation and cryptocurrency mining campaign infecting organizations across industries from finance to education and government. The Operation Prowli campaign has been spreading malware and malicious code to servers and websites around the world, and more than 40,000 machines reportedly have been infected.
The GuardiCore Labs team found that by using exploits, password brute-forcing and weak configurations, the attackers have had widespread success with the Prowli campaign. Targeting a variety of platforms, from CMS servers hosting popular websites to backup servers running HP Data Protector and DSL modems, the multipurpose operation also goes after IoT devices.
Relying on digital currencies and traffic redirection, the campaign has already victimized more than 9,000 companies. Traffic monetization fraud is trending on the internet: attackers leverage tech support scams and promote fake websites to lure unsuspecting users away from legitimate sites. Victims are then redirected to a fake site where they are tricked into installing malicious browser extensions.
The campaign was first identified on 4 April, when a group of secure-shell (SSH) attacks was found communicating with a command-and-control (C&C) server. "The attacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools named r2r2 along with a cryptocurrency miner," GuardiCore wrote.
The researchers were able to trace the campaign around the world across several networks and found it hitting organizations in a range of industries. "Over a period of 3 weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations. These attacks led us to investigate the attackers’ infrastructure and discover a wide ranging operation attacking multiple services."
The financially motivated attackers appeared to be targeting indiscriminately and went after domains that exposed a wide range of services to the internet. “Prowli exploits known vulnerabilities across WordPress, Joomla!, SMB, and even some DSL modems, so automated patching, along with continuous assessment and remediation, is critical to avoid these types of attacks," said Brajesh Goyal, VP of engineering, Cavirin.
These types of crypto-jacking attacks are escalating, said Dan Hubbard, chief security architect at Lacework. "Attackers are also utilizing everything from mobile devices to taking over accounts in large-scale public cloud computing environments in order to launch specific high-performance GPU workload types."
Examining network traffic will help users discover whether they've been infected. GuardiCore also advised that segmentation is a good practice, as is routinely reviewing who and what can access the servers. "Keep this list to a minimum and pay special attention to IoT devices whose credentials cannot be changed. Monitoring connections would easily show compromised devices communicating with cryptocurrency mining pools."
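GuardiCore's point that monitoring connections would show compromised devices talking to mining pools can be turned into a concrete check. The following is an added example written for this page, not GuardiCore's tooling: it reads tab-separated connection records (timestamp, source IP, destination IP, destination port, first payload line) and flags two signals, a Stratum mining-protocol message in the payload (strong) and a destination port commonly used by public pools (weak, worth a look rather than an alert). The log format, the log lines, the addresses and the port list are constructed for this example.

```python
"""Flag hosts talking to cryptocurrency mining pools from connection logs.

Added example, not GuardiCore's code. Input format is this example's own:
ts<TAB>src_ip<TAB>dst_ip<TAB>dst_port<TAB>first payload line
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional

# JSON-RPC methods used by Stratum (mining.*) and by the login-based
# variant spoken by Monero miners such as XMRig.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit", "keepalived"}
# Ports that public pools commonly listen on (assumption; a weak signal only)
POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444}


class Conn(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    payload: str


def parse_line(line: str) -> Optional[Conn]:
    """Parse one record; return None for malformed lines instead of crashing the sweep."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    try:
        dport = int(parts[3])
    except ValueError:
        return None
    return Conn(parts[0], parts[1], parts[2], dport, parts[4])


def stratum_method(payload: str) -> Optional[str]:
    """Return the Stratum method name if the payload is a mining-protocol message."""
    try:
        msg = json.loads(payload)
    except ValueError:  # JSONDecodeError is a ValueError; binary or HTTP payloads land here
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    return method if method in STRATUM_METHODS else None


def classify(conn: Conn) -> List[str]:
    """Reasons this connection looks like pool traffic, strongest first."""
    reasons = []
    method = stratum_method(conn.payload)
    if method:
        reasons.append(f"stratum message ({method}) to {conn.dst}:{conn.dport}")
    elif conn.dport in POOL_PORTS:
        reasons.append(f"connection to common pool port {conn.dport} on {conn.dst} (weak signal)")
    return reasons


def find_miners(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each internal source IP to the reasons it was flagged; clean hosts are absent."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        for reason in classify(conn):
            hits[conn.src].append(reason)
    return dict(hits)


# Constructed sample: one host doing a full Stratum login and share submission,
# one host reaching a pool port with an opaque (TLS) payload, two benign hosts.
SAMPLE_LOG = """\
2018-04-04T10:12:03Z\t10.0.5.12\t198.51.100.7\t3333\t{"id":1,"method":"login","params":{"login":"4AbCwallet","pass":"x","agent":"xmrig/2.6"}}
2018-04-04T10:12:05Z\t10.0.2.2\t203.0.113.10\t443\tGET / HTTP/1.1
2018-04-04T10:12:09Z\t10.0.9.3\t198.51.100.21\t14444\t\\x16\\x03\\x01 tls-client-hello
2018-04-04T10:12:11Z\t10.0.5.12\t198.51.100.7\t3333\t{"id":2,"method":"submit","params":{"id":"1","job_id":"7","nonce":"a1b2c3d4"}}
2018-04-04T10:12:15Z\t10.0.7.7\t192.0.2.44\t22\tSSH-2.0-OpenSSH_7.4
""".splitlines()

if __name__ == "__main__":
    for host, reasons in find_miners(SAMPLE_LOG).items():
        print(host)
        for reason in reasons:
            print("  ", reason)
```

Pair the output with an inventory of which hosts are allowed to reach the internet at all: a DSL modem or an IoT device with unchangeable credentials has no business opening outbound connections to arbitrary ports, so any port-only hit from such a device deserves the same attention as a full Stratum handshake.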
At Infosecurity Europe 2018 security researcher James Lyne explored some of the latest tactics and techniques currently being deployed by cyber-criminals, with particular focus on how 2018 has seen the continued evolution of ransomware to become even more commoditized and business-like.
“I almost feel boring standing here talking about ransomware, as we must all be sick of the topic by now,” he said, “but there’s some quite interesting commercial and business model stuff happening.”
We’re all pretty comfortable with the effectiveness of ransomware, he added, and the fact that it is going to continue to be a part of the ongoing threat. “Its brilliance is its ubiquitous applicability to all of us – stealing credit cards, targeting specific data, going after usernames and passwords, and ransomware struck on the gold of a model where they [attackers] don’t need to care about what data you have, just that you care about your data.”
“Since January, there’s been a series of campaigns that are worth paying attention to,” he said. “They are ransomware-as-a-service campaigns offering some interesting new features.”
An example Lyne pointed to was a “web-based interface where you can set some options, customize the ransom price, the address and so on, click build and download and get delivered a nice, constructed up-to-date piece of malware that authors have put effort into making sure the security community isn’t going to detect.”
They’ve even started giving security advice: “we recommend you to download the file without the .exe extension so you don’t accidentally run it!”
Another new ransomware service Lyne highlighted is one that is “free for download and use – so we have ‘freemium ransomware’ – who wants to pay for a service in 2018? You login, generate your malicious code and you distribute it, but the difference is, unlike the products and services of before where you owned the ransomware, it’s now an advertising referral scheme. So you generate your malware, you distribute it, and this other criminal gang receives the money and pays you 40% of the profits – so there’s no upfront investment, no difficulties in dealing with the digital currency and potentially getting caught, you don’t even own the people you hack anymore! That’s how commoditized we are – people have options on referral cuts on compromising our computers.”